Most IFA firms have, somewhere in their documentation, an incident response plan. A two-page document that describes what the firm will do if a cyber incident occurs. Many of those documents were produced by the IT provider or downloaded from a template. Very few have ever been reviewed by the managing director. Almost none have been tested. A plan that has never been tested is not a plan. It is a document.

What a tabletop exercise actually is

A tabletop exercise is a facilitated discussion in which key individuals in the firm work through a realistic incident scenario in real time. It is not a technical simulation. There is no live system attack, no actual data breach and no disruption to operations. It is a structured conversation - typically 60 to 90 minutes - that asks the participants to respond to an unfolding scenario as if it were happening now.

The scenario is shared in advance, but the specific events are introduced during the session. Participants are asked to make decisions, identify information gaps and work through the governance steps they would take in a real incident. The facilitator introduces complications - a key person is unavailable, the IT provider is not responding, a client has already called - and observes how the team responds.

The FCA's operational resilience framework explicitly requires firms to test their ability to remain within impact tolerances for their Important Business Services under severe but plausible disruption scenarios. A facilitated tabletop exercise is one of the most practical and cost-effective forms of that testing - and the output provides documented evidence of tested IR capability for both the FCA compliance file and the cyber insurance renewal conversation.

The four scenarios GOIA uses

GOIA draws on four scenarios for its bi-annual tabletop exercises, selected based on the client firm's most significant domain findings from their most recent Executive Review.

Scenario A is a ransomware attack in which advisers are locked out of the client data system. The scenario introduces questions about which services are affected, what the recovery timeline is, how clients are communicated with, when the FCA must be notified and how the insurer is engaged. For most IFA firms, the gap that surfaces first is that nobody knows the answer to the question: "How long before we can restore access to client records?"

Scenario B is an email compromise in which a fraudulent payment instruction, apparently from a senior adviser, has been sent to a client. The scenario introduces questions about how the instruction is identified, how the client is contacted, whether funds can be recalled, what the firm's liability position is and how the incident is recorded against the firm's Consumer Duty obligations.

Scenario C is a data breach in which client personal data has been exposed through an unsecured third-party platform. The scenario works through the ICO notification obligation under UK GDPR (without undue delay and, where feasible, within 72 hours of the firm becoming aware of the breach), client communication, regulatory reporting to the FCA and the governance documentation the firm needs to produce within that 72-hour window.

Scenario D is an IT supplier incident in which the firm's MSP has suffered a significant cyber attack affecting multiple clients simultaneously. The scenario explores the firm's third-party dependencies, its understanding of the MSP's own incident response process and its ability to maintain Important Business Services independently of the supplier.

What the exercise reveals

In every tabletop exercise GOIA has facilitated, the same gaps appear. The first is that the people who are meant to lead the firm's response to an incident do not have a shared understanding of what the first step is. The managing director assumes the IT provider takes the lead. The IT provider assumes they have been authorised to act. The compliance lead does not know when the FCA obligation to notify is triggered.

The second gap is contact information. The exercise asks participants to call the IT provider's emergency line. Nobody knows the number. The insurer's notification contact details are in a policy document that nobody can locate quickly. The ICO's online notification portal requires an account that nobody has created.

The third gap is board awareness. The exercise asks the participants to brief the board. In most IFA firms, the "board" and the "senior management team" are the same people - but the governance discipline of a board-level briefing has never been practised. The exercise reveals that there is no documented protocol for board escalation during an incident.

What the exercise produces

At the end of each GOIA tabletop exercise, the facilitator produces a one-page Lessons Learned summary that documents the gaps identified and the specific actions needed to address them. The incident response plan is updated to reflect those gaps. A board-ready summary is produced for inclusion in the quarterly board report.

This output serves three purposes: it documents tested IR capability for the FCA compliance file, it provides concrete evidence for the cyber insurer that the firm has tested its response procedures and it gives the board a realistic picture of the firm's actual readiness - not its theoretical readiness.